security-use 0.1.1__py3-none-any.whl → 0.2.9__py3-none-any.whl

security_use/__init__.py

@@ -1,10 +1,16 @@
 """security-use - Security scanning tool for dependencies and Infrastructure as Code."""
 
-__version__ = "0.1.1"
+__version__ = "0.2.9"
 
 from security_use.scanner import scan_dependencies, scan_iac
 from security_use.models import Vulnerability, IaCFinding, ScanResult
 
+# Sensor imports (lazy-loaded for optional dependencies)
+from security_use import sensor
+
+# Auth imports
+from security_use import auth
+
 __all__ = [
     "__version__",
     "scan_dependencies",
@@ -12,4 +18,6 @@ __all__ = [
     "Vulnerability",
     "IaCFinding",
     "ScanResult",
+    "sensor",
+    "auth",
 ]

security_use/auth/__init__.py

@@ -0,0 +1,16 @@
+"""Authentication module for SecurityUse dashboard integration."""
+
+from .config import AuthConfig, AuthToken, UserInfo, get_config_dir
+from .oauth import OAuthFlow, OAuthError, DeviceCode
+from .client import DashboardClient
+
+__all__ = [
+    "AuthConfig",
+    "AuthToken",
+    "UserInfo",
+    "OAuthFlow",
+    "OAuthError",
+    "DeviceCode",
+    "DashboardClient",
+    "get_config_dir",
+]

security_use/auth/client.py

@@ -0,0 +1,223 @@
+"""Dashboard API client for uploading scan results."""
+
+import platform
+from typing import Optional
+from datetime import datetime
+
+import httpx
+
+from .config import OAUTH_CONFIG, AuthConfig
+from .oauth import OAuthFlow, OAuthError
+from security_use import __version__
+from security_use.models import ScanResult
+
+
+class DashboardClient:
+    """Client for the SecurityUse dashboard API."""
+
+    def __init__(self, config: Optional[AuthConfig] = None):
+        self.config = config or AuthConfig()
+        self.api_url = OAUTH_CONFIG["api_url"]
+        self.oauth = OAuthFlow(self.config)
+
+    def _get_headers(self) -> dict:
+        """Get request headers with authentication."""
+        headers = {
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+            "User-Agent": f"security-use-cli/{__version__}",
+        }
+
+        token = self.config.get_access_token()
+        if token:
+            headers["Authorization"] = f"Bearer {token}"
+
+        return headers
+
+    def _ensure_authenticated(self) -> None:
+        """Ensure user is authenticated, refresh token if needed."""
+        if not self.config.is_authenticated:
+            raise OAuthError("Not authenticated. Run 'security-use auth login' first.")
+
+        # Try to refresh if token is expired
+        if self.config.token and self.config.token.is_expired():
+            if self.config.token.refresh_token:
+                try:
+                    new_token = self.oauth.refresh_token(self.config.token.refresh_token)
+                    self.config.save_token(new_token, self.config.user)
+                except OAuthError:
+                    raise OAuthError(
+                        "Session expired. Run 'security-use auth login' to re-authenticate."
+                    )
+            else:
+                raise OAuthError(
+                    "Session expired. Run 'security-use auth login' to re-authenticate."
+                )
+
+    def upload_scan(
+        self,
+        result: ScanResult,
+        scan_type: str = "deps",
+        repo_name: Optional[str] = None,
+        branch: Optional[str] = None,
+        commit_sha: Optional[str] = None,
+    ) -> dict:
+        """Upload scan results to the dashboard.
+
+        Args:
+            result: The scan result to upload.
+            scan_type: Type of scan (deps, sast, iac, runtime).
+            repo_name: Optional repository name.
+            branch: Optional git branch name.
+            commit_sha: Optional git commit SHA.
+
+        Returns:
+            API response with scan ID and summary.
+
+        Raises:
+            OAuthError: If not authenticated or upload fails.
+        """
+        self._ensure_authenticated()
+
+        # Convert vulnerabilities and IaC findings to the expected format
+        findings = []
+
+        for vuln in result.vulnerabilities:
+            findings.append({
+                "finding_type": "vulnerability",
+                "category": "deps",
+                "severity": vuln.severity.value,
+                "title": vuln.title,
+                "description": vuln.description or "",
+                "recommendation": f"Upgrade to version {vuln.fixed_version}" if vuln.fixed_version else "No fix available",
+                "cve_id": vuln.id,  # Vulnerability ID is typically the CVE ID
+                "package_name": vuln.package,
+                "package_version": vuln.installed_version,
+                "fixed_version": vuln.fixed_version,
+            })
+
+        for finding in result.iac_findings:
+            findings.append({
+                "finding_type": "misconfiguration",
+                "category": "iac",
+                "severity": finding.severity.value,
+                "title": finding.title,
+                "description": finding.description or "",
+                "file_path": finding.file_path,
+                "line_number": finding.line_number,
+                "recommendation": finding.remediation or "",
+            })
+
+        payload = {
+            "scan_type": scan_type,
+            "status": "completed",
+            "findings": findings,
+            "metadata": {
+                "cli_version": __version__,
+                "os": platform.system().lower(),
+                "repo_name": repo_name,
+                "branch": branch,
+                "commit_sha": commit_sha,
+            },
+        }
+
+        try:
+            with httpx.Client(timeout=60.0) as client:
+                response = client.post(
+                    f"{self.api_url}/scan-upload",
+                    json=payload,
+                    headers=self._get_headers(),
+                )
+
+                if response.status_code == 401:
+                    raise OAuthError(
+                        "Authentication failed. Run 'security-use auth login' to re-authenticate."
+                    )
+
+                if response.status_code == 403:
+                    raise OAuthError(
+                        "Insufficient permissions. Token lacks scan:upload scope."
+                    )
+
+                if response.status_code not in (200, 201):
+                    raise OAuthError(f"Failed to upload scan: {response.text}")
+
+                return response.json()
+
+        except httpx.RequestError as e:
+            raise OAuthError(f"Network error: {e}")
+
+    def get_scans(
+        self,
+        project_name: Optional[str] = None,
+        limit: int = 10,
+    ) -> list[dict]:
+        """Get recent scans from the dashboard.
+
+        Args:
+            project_name: Optional filter by project name.
+            limit: Maximum number of scans to return.
+
+        Returns:
+            List of scan summaries.
+
+        Raises:
+            OAuthError: If not authenticated or request fails.
+        """
+        self._ensure_authenticated()
+
+        params = {"limit": limit}
+        if project_name:
+            params["project"] = project_name
+
+        try:
+            with httpx.Client(timeout=30.0) as client:
+                response = client.get(
+                    f"{self.api_url}/v1/scans",
+                    params=params,
+                    headers=self._get_headers(),
+                )
+
+                if response.status_code == 401:
+                    raise OAuthError(
+                        "Authentication failed. Run 'security-use auth login' to re-authenticate."
+                    )
+
+                if response.status_code != 200:
+                    raise OAuthError(f"Failed to fetch scans: {response.text}")
+
+                return response.json().get("scans", [])
+
+        except httpx.RequestError as e:
+            raise OAuthError(f"Network error: {e}")
+
+    def get_projects(self) -> list[dict]:
+        """Get list of projects for the authenticated user.
+
+        Returns:
+            List of projects.
+
+        Raises:
+            OAuthError: If not authenticated or request fails.
+        """
+        self._ensure_authenticated()
+
+        try:
+            with httpx.Client(timeout=30.0) as client:
+                response = client.get(
+                    f"{self.api_url}/v1/projects",
+                    headers=self._get_headers(),
+                )
+
+                if response.status_code == 401:
+                    raise OAuthError(
+                        "Authentication failed. Run 'security-use auth login' to re-authenticate."
+                    )
+
+                if response.status_code != 200:
+                    raise OAuthError(f"Failed to fetch projects: {response.text}")
+
+                return response.json().get("projects", [])
+
+        except httpx.RequestError as e:
+            raise OAuthError(f"Network error: {e}")

security_use/auth/config.py

@@ -0,0 +1,177 @@
+"""Authentication configuration and token storage."""
+
+import json
+import os
+from dataclasses import dataclass, asdict
+from pathlib import Path
+from typing import Optional
+from datetime import datetime, timedelta
+
+
+# OAuth configuration
+OAUTH_CONFIG = {
+    "client_id": "security-use-cli",
+    "auth_url": "https://lhirdknhtzkqynfavdao.supabase.co/functions/v1/oauth-device-code",
+    "token_url": "https://lhirdknhtzkqynfavdao.supabase.co/functions/v1/oauth-token",
+    "api_url": "https://lhirdknhtzkqynfavdao.supabase.co/functions/v1",
+    "scopes": ["read", "write", "scan:upload"],
+}
+
+
+def get_config_dir() -> Path:
+    """Get the configuration directory path."""
+    # Use XDG_CONFIG_HOME on Linux, or platform-specific defaults
+    if os.name == "nt":  # Windows
+        config_dir = Path(os.environ.get("APPDATA", "~")).expanduser() / "security-use"
+    else:  # macOS/Linux
+        xdg_config = os.environ.get("XDG_CONFIG_HOME")
+        if xdg_config:
+            config_dir = Path(xdg_config) / "security-use"
+        else:
+            config_dir = Path.home() / ".config" / "security-use"
+
+    config_dir.mkdir(parents=True, exist_ok=True)
+    return config_dir
+
+
+def get_config_file() -> Path:
+    """Get the configuration file path."""
+    return get_config_dir() / "config.json"
+
+
+def get_token_file() -> Path:
+    """Get the token file path."""
+    return get_config_dir() / "credentials.json"
+
+
+@dataclass
+class AuthToken:
+    """OAuth token data."""
+    access_token: str
+    refresh_token: Optional[str] = None
+    token_type: str = "Bearer"
+    expires_at: Optional[str] = None
+    scope: Optional[str] = None
+
+    def is_expired(self) -> bool:
+        """Check if the token is expired."""
+        if not self.expires_at:
+            return False
+        try:
+            expires = datetime.fromisoformat(self.expires_at)
+            return datetime.utcnow() >= expires
+        except ValueError:
+            return False
+
+    def to_dict(self) -> dict:
+        """Convert to dictionary."""
+        return asdict(self)
+
+    @classmethod
+    def from_dict(cls, data: dict) -> "AuthToken":
+        """Create from dictionary."""
+        return cls(
+            access_token=data["access_token"],
+            refresh_token=data.get("refresh_token"),
+            token_type=data.get("token_type", "Bearer"),
+            expires_at=data.get("expires_at"),
+            scope=data.get("scope"),
+        )
+
+
+@dataclass
+class UserInfo:
+    """Authenticated user information."""
+    user_id: str
+    email: str
+    name: Optional[str] = None
+    org_id: Optional[str] = None
+    org_name: Optional[str] = None
+
+    def to_dict(self) -> dict:
+        """Convert to dictionary."""
+        return asdict(self)
+
+    @classmethod
+    def from_dict(cls, data: dict) -> "UserInfo":
+        """Create from dictionary."""
+        return cls(
+            user_id=data["user_id"],
+            email=data["email"],
+            name=data.get("name"),
+            org_id=data.get("org_id"),
+            org_name=data.get("org_name"),
+        )
+
+
+class AuthConfig:
+    """Manages authentication configuration and tokens."""
+
+    def __init__(self):
+        self._token: Optional[AuthToken] = None
+        self._user: Optional[UserInfo] = None
+        self._load()
+
+    def _load(self) -> None:
+        """Load credentials from file."""
+        token_file = get_token_file()
+        if token_file.exists():
+            try:
+                data = json.loads(token_file.read_text())
+                if "token" in data:
+                    self._token = AuthToken.from_dict(data["token"])
+                if "user" in data:
+                    self._user = UserInfo.from_dict(data["user"])
+            except (json.JSONDecodeError, KeyError):
+                pass
+
+    def _save(self) -> None:
+        """Save credentials to file."""
+        token_file = get_token_file()
+        data = {}
+        if self._token:
+            data["token"] = self._token.to_dict()
+        if self._user:
+            data["user"] = self._user.to_dict()
+
+        token_file.write_text(json.dumps(data, indent=2))
+
+        # Set restrictive permissions on token file (Unix only)
+        if os.name != "nt":
+            os.chmod(token_file, 0o600)
+
+    @property
+    def token(self) -> Optional[AuthToken]:
+        """Get the current auth token."""
+        return self._token
+
+    @property
+    def user(self) -> Optional[UserInfo]:
+        """Get the current user info."""
+        return self._user
+
+    @property
+    def is_authenticated(self) -> bool:
+        """Check if user is authenticated."""
+        return self._token is not None and not self._token.is_expired()
+
+    def save_token(self, token: AuthToken, user: Optional[UserInfo] = None) -> None:
+        """Save authentication token and user info."""
+        self._token = token
+        if user:
+            self._user = user
+        self._save()
+
+    def clear(self) -> None:
+        """Clear all stored credentials."""
+        self._token = None
+        self._user = None
+        token_file = get_token_file()
+        if token_file.exists():
+            token_file.unlink()
+
+    def get_access_token(self) -> Optional[str]:
+        """Get the access token if authenticated."""
+        if self.is_authenticated and self._token:
+            return self._token.access_token
+        return None